X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240205093725.make.582-kees@kernel.org> <67a842ad-b900-4c63-afcb-63455934f727@gmail.com> <202402050457.0B4D90B1A@keescook>
In-Reply-To: <202402050457.0B4D90B1A@keescook>
From: Marco Elver
Date: Mon, 5 Feb 2024 14:10:26 +0100
Subject: Re: [PATCH v3] ubsan: Reintroduce signed overflow sanitizer
To: Kees Cook
Cc: Andrey Ryabinin, Justin Stitt, Miguel Ojeda, Nathan Chancellor, Peter Zijlstra, Hao Luo, Andrey Konovalov, Andrew Morton, Masahiro Yamada, Nicolas Schier, Nick Desaulniers, Przemek Kitszel, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, linux-hardening@vger.kernel.org, linux-kbuild@vger.kernel.org

On Mon, 5 Feb 2024 at 13:59, Kees Cook wrote:
>
> On Mon, Feb 05, 2024 at 01:54:24PM +0100, Andrey Ryabinin wrote:
> >
> >
> > On 2/5/24 10:37, Kees Cook wrote:
> >
> > > ---
> > >  include/linux/compiler_types.h |  9 ++++-
> > >  lib/Kconfig.ubsan              | 14 +++++++
> > >  lib/test_ubsan.c               | 37 ++++++++++++++++++
> > >  lib/ubsan.c                    | 68 ++++++++++++++++++++++++++++++++++
> > >  lib/ubsan.h                    |  4 ++
> > >  scripts/Makefile.lib           |  3 ++
> > >  scripts/Makefile.ubsan         |  3 ++
> > >  7 files changed, 137 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> > > index 6f1ca49306d2..ee9d272008a5 100644
> > > --- a/include/linux/compiler_types.h
> > > +++ b/include/linux/compiler_types.h
> > > @@ -282,11 +282,18 @@ struct ftrace_likely_data {
> > >  #define __no_sanitize_or_inline __always_inline
> > >  #endif
> > >
> > > +/* Do not trap wrapping arithmetic within an annotated function. */
> > > +#ifdef CONFIG_UBSAN_SIGNED_WRAP
> > > +# define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))
> > > +#else
> > > +# define __signed_wrap
> > > +#endif
> > > +
> > >  /* Section for code which can't be instrumented at all */
> > >  #define __noinstr_section(section)					\
> > >  	noinline notrace __attribute((__section__(section)))		\
> > >  	__no_kcsan __no_sanitize_address __no_profile __no_sanitize_coverage \
> > > -	__no_sanitize_memory
> > > +	__no_sanitize_memory __signed_wrap
> >
> > Given this disables all kinds of code instrumentations,
> > shouldn't we just add __no_sanitize_undefined here?
>
> Yeah, that's a very good point.
>
> > I suspect that ubsan's instrumentation usually doesn't cause problems
> > because it calls __ubsan_* functions with all heavy stuff (printk, locks etc)
> > only if code has an UB. So the answer to the question above depends on
> > whether we want to ignore UBs in "noinstr" code or to get some weird side effect,
> > possibly without proper UBSAN report in dmesg.
>
> I think my preference would be to fail safe (i.e. leave in the
> instrumentation), but the intent of noinstr is pretty clear. :P I wonder
> if, instead, we could adjust objtool to yell about cases where calls are
> made in noinstr functions (like it does for UACCESS)... maybe it already
> does?

It already does, see CONFIG_NOINSTR_VALIDATION (yes by default on x86).
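Review bot: the `__noinstr_section` hunk appends only `__signed_wrap`, so every other UBSAN check stays active in noinstr code and can still emit calls into the out-of-line `__ubsan_*` handlers on the UB path, which is exactly the kind of call noinstr is meant to exclude; either use `__no_sanitize_undefined` in that macro (Andrey's suggestion in the reply) or extend the comment above `__signed_wrap`, which as written mentions only annotated functions, to say why just the signed-overflow check is dropped from noinstr sections.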
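The thread turns on the difference between arithmetic that is meant to wrap (what the patch's `__signed_wrap` marks) and arithmetic where an overflow is a bug the sanitizer should report. As an added example, not part of the patch or of the thread, here is a stand-alone C program that defines a hypothetical `example_signed_wrap` macro expanding to the same `no_sanitize("signed-integer-overflow")` attribute the patch uses, applies it to an add that intentionally wraps (computed through unsigned arithmetic so it is defined C whether or not the sanitizer is enabled), and beside it a checked add built on `__builtin_add_overflow`, the compiler builtin behind the kernel's `check_add_overflow()`. The names `example_signed_wrap`, `wrapping_add` and `checked_add` are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the patch's __signed_wrap: expands to the same
 * no_sanitize attribute when the compiler offers it, otherwise to nothing.
 * (Example macro, not the kernel's definition.)
 */
#ifdef __has_attribute
# if __has_attribute(no_sanitize)
#  define example_signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))
# endif
#endif
#ifndef example_signed_wrap
# define example_signed_wrap
#endif

/*
 * Wrapping add: two's-complement wraparound is the intended result.
 * The sum is formed in unsigned arithmetic (defined C) and converted back;
 * GCC/Clang define that conversion as modulo 2^32.  The attribute tells the
 * signed-overflow sanitizer that any wrap inside this function is by design.
 */
example_signed_wrap
int wrapping_add(int a, int b)
{
	return (int)((unsigned int)a + (unsigned int)b);
}

/*
 * Checked add: overflow is an error, not a wrap.  Returns true and leaves
 * *res untouched when a + b does not fit in int; otherwise stores the sum
 * and returns false.  Mirrors the kernel's check_add_overflow() pattern.
 */
bool checked_add(int a, int b, int *res)
{
	int tmp;

	if (__builtin_add_overflow(a, b, &tmp))
		return true;
	*res = tmp;
	return false;
}

int main(void)
{
	int sum = 0;

	printf("wrapping_add(INT_MAX, 1) = %d\n", wrapping_add(INT_MAX, 1));
	if (checked_add(INT_MAX, 1, &sum))
		printf("checked_add(INT_MAX, 1): overflow detected, sum left at %d\n", sum);
	if (!checked_add(2, 3, &sum))
		printf("checked_add(2, 3) = %d\n", sum);
	return 0;
}
```

Build it plainly or with `-fsanitize=signed-integer-overflow`: in both cases `wrapping_add` is silent, because the wrap is both defined C and annotated as intentional, while any signed expression that overflows outside such a function is what the sanitizer reports. The two-layer approach (well-defined arithmetic plus the attribute) is what lets a function keep its wrapping semantics without depending on the sanitizer being off.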